Attributes and I-WLAN Policies
To create a profile, you configure attribute lists and an I-WLAN policy for each 3GPP WLAN service scenario. Attribute lists specify attribute values that are placed in the response, and are typically used to provide additional parameters needed to complete authorization. The order in which the attributes are placed in the response is user-defined. The I-WLAN policy is a list of rules governing authorization.
The ordered lists of attributes you can define for each profile in the IMS AAA Server provide powerful tools for authorizing subscriber requests.
The IMS AAA Server supports the following authorization attribute lists:
The attributes to be set in response feature allows you to specify which attributes you want set in the response to the client. This feature always replaces all instances of a particular attribute with its locally configured attribute. Only one locally configured value of any attribute can exist.
To create an attribute return list, you select the attributes you want to return in the response from a predefined list. For each attribute, the IMS AAA Server Administrator prompts you to enter values using familiar data types such as string, integer, or network address. You then place the attributes in the order in which you want them to be sent in the response.
By including appropriate attributes in the response list, you can create a variety of connection policies. For example, specific subscribers can be assigned particular IP addresses; IP header compression can be turned on or off; or a time limit can be assigned to the connection.
The attributes to be copied from downstream feature allows you to specify which attributes you want to copy from a downstream server response. This feature always adds all instances of a particular attribute from the downstream server response to the response sent to the client.
For example, suppose the IMS AAA Server is in a visited network (VPLMN) being accessed by a roaming subscriber. In this case, the subscriber's home 3GPP AAA server is responsible for performing session authorization. When the IMS AAA Server in the VPLMN receives the request from the roaming subscriber, it proxies the request to the subscriber's home server (HPLMN). The home server performs the authorization and returns the response to the IMS AAA Server in the VPLMN. The IMS AAA Server uses the list of attributes to be copied from downstream to select which attributes are copied from the HSS or home server response, and in what order they are placed in the final response it sends to the WLAN or PDG.
To create an attribute copy list, you select the attributes you want to copy from the downstream server response from a predefined list. You do not enter values for the attributes; the values are copied from the downstream server response. You then place the attributes in the order in which you want them to be sent in the response.
NOTE: Only attributes that are in the original response from the downstream server may be copied. If the ordered list includes an attribute that is not in the response from the downstream server, the attribute will not be copied in the final response to the client.
The Periodic Reauthorization feature provides a set of attributes that instruct the WLAN to initiate reauthorization requests automatically. The IMS AAA Server uses two attributes for this instruction: Session-Timeout and Termination-Action. The Session-Timeout attribute value is configurable (as the Reauthorization Interval) in seconds. This attribute sets the maximum number of seconds of service to be provided to the subscriber. The server sends this attribute to the client in the response. The value of the Termination-Action attribute instructs the WLAN to perform what is necessary after Session-Timeout elapses.
Combining Attribute Lists
You can create any combination of the above attribute authorization lists you require. For example, you can configure the profile with both return lists and copy lists. This allows the visited IMS AAA Server to add its own level of authorization by copying some attributes from the downstream server response, as well as setting some attributes in the response.
Figure 55 illustrates using a combination of attribute lists. In this illustration, some attributes are copied from the downstream server response, while others are set in the final response by the visited IMS AAA Server.
Using Attribute Lists
This section provides an example of using the Set attribute in response and Copy attribute from downstream features separately and in combination.
Example of Using the Attributes to Be Set in Response Feature
The attributes to be set in response feature always replaces all instances of a particular attribute with its locally configured attribute. Only one locally configured value of any attribute can exist. So, if the response contains three instances of the Framed-MTU attribute with values 1, 2 and 3, and you configure the attributes to be set in response feature to set the Framed-MTU attribute with a value of 2, the net result will be that the final response contains only one instance of the Framed-MTU attribute with a value of 2.
Example of Using the Attributes to Be Copied from Downstream Feature
The attributes to be copied from downstream feature adds all instances of a particular attribute from the downstream server response to the final response sent to the client. So, if the response already contains two instances of the Framed-MTU attribute with values 2 and 5, and the response from the downstream server contains three instances of the Framed-MTU attribute with values 1, 2 and 3, and you configure the attributes to be copied from downstream feature to copy the Framed-MTU attribute, the net result will be that the response to the client contains five instances of the Framed-MTU attribute with the values 2, 5, 1, 2, 3.
Example of Using Both Features Together
When using both of these features in combination for the same attribute, the order in which they appear in the attribute list is very important since it defines what the attribute value will be in the final response to the client.
For example, if the order of the attribute list is: set the Framed-MTU attribute to a value of 1, and then copy the Framed-MTU attribute value, the final response to the client will have multiple instances of the Framed-MTU attribute. First the attributes to be set in response feature will replace any existing values in the response for the Framed-MTU attribute and set the value to 1. Then the attributes to be copied from downstream feature will add any instances of the Framed-MTU attribute to the final response.
On the other hand, if the attribute list is configured to copy the Framed-MTU attribute from the downstream response first, and then set the Framed-MTU attribute to a value of 1, the final response to the client will only contain one instance of the Framed-MTU attribute=1 because the attributes to be set in response feature will overwrite the attributes to be copied from downstream feature.
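The set and copy behavior from the three examples above, modeled as an added Python sketch (not IMS AAA Server code). The function names, the tuple representation of attributes, and placing a set value at the end of the response are assumptions made for illustration.

```python
from typing import List, Optional, Tuple

Attr = Tuple[str, int]                 # (attribute name, value)
Op = Tuple[str, str, Optional[int]]    # ("set", name, value) or ("copy", name, None)


def apply_attribute_list(response: List[Attr], downstream: List[Attr],
                         ops: List[Op]) -> List[Attr]:
    """Apply set/copy entries in their configured order and return the final response."""
    final = list(response)
    for kind, name, value in ops:
        if kind == "set":
            # Set: drop every existing instance, keep one locally configured value.
            # Assumption: the single value is placed at the end of the response.
            final = [a for a in final if a[0] != name]
            final.append((name, value))
        elif kind == "copy":
            # Copy: add every downstream instance; an attribute absent from the
            # downstream response contributes nothing.
            final.extend(a for a in downstream if a[0] == name)
        else:
            raise ValueError(f"unknown list entry: {kind}")
    return final


def mtu(attrs: List[Attr]) -> List[int]:
    """Return the Framed-MTU values in response order."""
    return [v for n, v in attrs if n == "Framed-MTU"]


# Constructed sample data matching the values used in the text.
DOWNSTREAM = [("Framed-MTU", 1), ("Framed-MTU", 2), ("Framed-MTU", 3)]
EXISTING = [("Framed-MTU", 2), ("Framed-MTU", 5)]


def scenarios() -> dict:
    set_op, copy_op = ("set", "Framed-MTU", 1), ("copy", "Framed-MTU", None)
    return {
        "set_only": mtu(apply_attribute_list(DOWNSTREAM, [], [("set", "Framed-MTU", 2)])),
        "copy_only": mtu(apply_attribute_list(EXISTING, DOWNSTREAM, [copy_op])),
        "set_then_copy": mtu(apply_attribute_list(EXISTING, DOWNSTREAM, [set_op, copy_op])),
        "copy_then_set": mtu(apply_attribute_list(EXISTING, DOWNSTREAM, [copy_op, set_op])),
        "copy_missing": apply_attribute_list([], DOWNSTREAM, [("copy", "Session-Timeout", None)]),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label}: {result}")
```

When reviewing a profile, the set-then-copy ordering is the one to look for: it lets values from the downstream server reach the client alongside the locally configured value.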
The value of each attribute has a well-defined data type: numeric, string, IP address, time, or hexadecimal. For example, Callback-Number is of type string and contains a telephone number, while NAS-Port-Type is an item from a list, and can be Sync, Async, and so forth.
NOTE: IMS AAA Server supports signed integers (negative numbers) for attributes received in packets and processing relating to those attributes. However, IMS AAA Server Administrator does not support signed integers, and treats signed and unsigned integers as unsigned integers.
Single- and Multi-Valued Attributes
Attributes can be single- or multi-valued. Single-valued attributes appear at most once in the response; multi-valued attributes may appear several times.
If an attribute appears more than once in the response list, each value of the attribute is sent as part of the response packet. For example, to enable both IP and IPX header compression for a subscriber, the Framed-Compression attribute should appear twice in the response list: once with the value VJ-TCP-IP-header-compression and once with the value IPX-header-compression.
The order in which attributes appear in the response is user defined. In addition, an attribute can appear more than once in the response, and the order in which the attributes appear is important.
For Diameter, if the request from the client included a request for authorization, a successful response must include the authorization AVPs (attribute value pairs) that are relevant to the service being provided.
I-WLAN policies are lists of rules governing authorization. An I-WLAN policy must be configured for each 3GPP WLAN service scenario in the local profile. To create an I-WLAN policy, you select the I-WLAN policy from a predefined list, and where required, enter specific values for the policy. The following I-WLAN policies are supported by the IMS AAA Server.
I-WLAN Authorized W-APNs
The I-WLAN Authorized W-APNs policy specifies which W-APNs the subscriber is allowed to access (visited or home PLMN). Charging data for the W-APN is also defined in this policy.
I-WLAN Allowed Visited Networks
The I-WLAN Allowed Visited Networks policy specifies which VPLMNs the subscriber is allowed to access (when roaming). During the authorization process, if the server determines the subscriber is roaming, it checks this policy to determine what networks the subscriber is authorized to visit. If the network the subscriber wants to access is listed, or if the Allow All option is selected, the subscriber is granted access to the visited network. If the network is not listed, and the Allow All option is not selected, access to the visited network is denied.
I-WLAN Global Access Dependence
This policy specifies granting of subscriber access to the WLAN 3GPP IP Access service based on whether the subscriber has previously been authenticated or not for WLAN Direct IP Access.
I-WLAN Global Maximum Number of Accesses
This policy specifies the global maximum number of concurrent authorizations the subscriber is allowed per W-APN.
I-WLAN Global Maximum Subscribed Bandwidth
This policy specifies the global maximum bandwidth for the subscriber.
Global Wireless LAN Access
This policy allows mobile operators to bar 3GPP and WLAN interworking subscriptions.
Global WLAN 3GPP IP Access
This policy allows mobile operators to disable all W-APNs for a subscriber at one time.
Global WLAN Direct IP Access
This policy specifies whether or not the subscriber is authorized for WLAN Direct IP Access, which allows direct access from the WLAN to external IP networks such as the Internet.
Global Charging Data
This policy defines the Global Charging Data which is used as the default for any parameter that is not specified more specifically in the I-WLAN Authorized W-APNs policy. The charging functions defined in the I-WLAN Authorized W-APNs policy take priority over these global functions.
NOTE: Global attributes are interpreted as the default only if the attribute is not defined for the current W-APN. For example, if a value for Maximum Number of Accesses is specified in the I-WLAN Authorized W-APNs policy, it takes precedence over any value set in I-WLAN Global Maximum Number of Accesses.
Detailed descriptions of these policies are provided in Configuring an I-WLAN Policy for the Local Profile.